
At best that will identify less than a third of the messages produced by
this worm. A permutating and mutating bogus 'Undeliverable e-mail' message
carrying the infection package is more common than the HTML message. Either
type is over 100 KBytes, and will quickly clog a mailbox.


In article <S02bb.43098$>, Phil
Weldon <> writes
>At best that will identify less than a third of the messages produced by
>this worm. A permutating and mutating bogus 'Undeliverable e-mail' message
>carrying the infection package is more common than the HTML message. Either
>type is over 100 KBytes, and will quickly clog a mailbox.
>
>Expect the HTML message body, FROM and SUBJECT to mutate also.
>
>Phil Weldon,
>
>"Simon Burton" <> wrote in message
>news...
>>
>> This was so easy
>>
>> Simon Burton.
..... you're right, I had to use patterns like

[snip]
>>Phil Weldon,
>>
>>"Simon Burton" <> wrote in message
>>news...
>>>
>>> This was so easy
>>>
>>> Simon Burton.
> .... you're right, I had to use patterns like

Almost all the spam I'm receiving has an attachment whose file
type is one of .exe, .bat, .com, .scr, .pif, and a few others. Is
there a way for your Python script to check for that? How do you
do that in Python?

I'm guessing that you are not in the mood for receiving executable
files right now.

Here is a strange thing: I'm using procmail and junkfilter to
dispose of these. I looked at procmail's log, and noticed that
in many cases (but not all) I seem to be receiving exactly 2 spam
emails from each From address. I suppose this worm does not want
me to think I can do something so simple as send a request to one
infected machine asking it to clean itself up.

Simon Burton fed this fish to the penguins on Friday 19 September 2003
11:52 pm:
>
>
>
> This was so easy

Probably helps to have an ISP that inserts the X-Spam-Level header <G>

Was missing too many variants on my runs. So I took it as inspiration
for this (not fully tested) variation which counts up words in both
subject and from headers that match candidate lists.

"""
SwenKill.py Dennis Lee Bieber September 20 2003
Based upon a program presented on comp.lang.python

Checks POP3 headers for hallmarks of a Swen trojan package and
deletes
any qualifying message before it is downloaded (note: depending on
check times, the MUA may still download messages before this routine
has checked them).

Usage:
python swenkill.py pop3.server.address user.name password

If imported, one can create multiple instances of the checker, and
imbed them within their own timing check loop.
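The header-scoring idea Dennis describes, as an added example (this is not his SwenKill.py, whose body is not on this page): count candidate words in Subject and From, and apply the verdict to a headers-only POP3 TOP fetch so the 100 KByte bodies are never downloaded. The word lists, threshold and sample headers are assumptions.

```python
# Added example, not the original SwenKill.py. Word lists and threshold
# are assumptions for illustration; tune them against your own mailbox.
import email
import poplib
import re
from email.policy import default

SUBJECT_WORDS = {"undeliverable", "returned", "failure", "security",
                 "update", "patch", "microsoft", "bug", "abort"}
FROM_WORDS = {"microsoft", "ms", "security", "support", "postmaster",
              "mailer-daemon", "delivery", "admin"}
THRESHOLD = 2                      # assumed: hits needed before deleting
WORD_RE = re.compile(r"[a-z0-9-]+")

def score_headers(raw_headers):
    """Count distinct candidate words in the Subject and From headers."""
    msg = email.message_from_string(raw_headers, policy=default)
    score = 0
    for header, words in (("Subject", SUBJECT_WORDS), ("From", FROM_WORDS)):
        value = (msg.get(header) or "").lower()
        score += sum(1 for w in set(WORD_RE.findall(value)) if w in words)
    return score

def is_swen(raw_headers):
    return score_headers(raw_headers) >= THRESHOLD

def purge_mailbox(host, user, password):
    """Delete qualifying messages on the server after fetching headers only
    (POP3 TOP with zero body lines); returns how many were deleted."""
    pop = poplib.POP3(host)
    pop.user(user)
    pop.pass_(password)
    deleted = 0
    for num in range(1, len(pop.list()[1]) + 1):
        lines = pop.top(num, 0)[1]
        headers = b"\n".join(lines).decode("latin-1", "replace")
        if is_swen(headers):
            pop.dele(num)
            deleted += 1
    pop.quit()
    return deleted

# Constructed sample headers (not real mail) for an offline check.
SWEN_HEADERS = ("From: MS Security Center <ms-security@example.invalid>\n"
                "Subject: Undeliverable Mail: Returned Message\n\n")
OK_HEADERS = ("From: Alice <alice@example.invalid>\n"
              "Subject: Lunch on Friday\n\n")
```

Because the decision uses only headers, anything the worm mutates in the body is irrelevant, but a subject and sender that both drift away from the word lists will slip through, which is the trade-off the thread is discussing.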

Dave Kuhlman fed this fish to the penguins on Saturday 20 September
2003 02:39 pm:
>
> Almost all the spam I'm receiving has an attachment whose file
> type is one of .exe, .bat, .com, .scr, .pif, and a few others. Is
> there a way for your Python script to check for that? How do you
> do that in Python?
>
Checking for the attachment requires scanning the body of the message
-- in effect, downloading it anyway. The script, as is, is only
accessing the headers and performing the delete on the server end.
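The body-side check Dennis refers to, as an added example that is not code from the thread: once a message has been fetched in full, walk its MIME parts and flag any attachment whose last extension is on Dave's list. The extra extensions and the sample message are assumptions.

```python
# Added example, not from the thread. Extensions beyond Dave's list are
# an assumption; the sample message below is constructed, not a capture.
import email
from email.policy import default

EXEC_EXTS = {".exe", ".bat", ".com", ".scr", ".pif",   # from Dave's post
             ".cmd", ".vbs", ".js", ".lnk"}           # assumed extras

def executable_attachments(raw_message):
    """Return filenames of MIME parts whose final extension is executable."""
    msg = email.message_from_string(raw_message, policy=default)
    found = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name or "." not in name:
            continue
        # Only the last extension matters, so "patch.txt.exe" still counts.
        if "." + name.rsplit(".", 1)[1].lower() in EXEC_EXTS:
            found.append(name)
    return found

def has_executable_attachment(raw_message):
    return bool(executable_attachments(raw_message))

# Constructed sample message; the base64 payload is dummy bytes.
SAMPLE = """\
From: MS Security Center <ms-security@example.invalid>
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="abcdef"

--abcdef
Content-Type: text/plain

Install the attached patch.
--abcdef
Content-Type: application/octet-stream; name="patch.txt.exe"
Content-Disposition: attachment; filename="patch.txt.exe"
Content-Transfer-Encoding: base64

AAAA
--abcdef--
"""
```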

On Sat, 20 Sep 2003 14:39:49 -0700,
Dave Kuhlman <> wrote:
> Almost all the spam I'm receiving has an attachment whose file
> type is one of .exe, .bat, .com, .scr, .pif, and a few others. Is
> there a way for your Python script to check for that? How do you
> do that in Python?

If you're using Exim as a mail server, you can compile Exim with Python as
an extension language (elspy.sf.net). Rejecting all messages with
executable attachments is then a matter of creating an exim_local_scan.py
file containing:

Quoth "Phil Weldon" <>:
| At best that will identify less than a third of the messages produced by
| this worm. A permutating and mutating bogus 'Undeliverable e-mail' message
| carrying the infection package is more common than the HTML message. Either
| type is over 100 KBytes, and will quickly clog a mailbox.
|
| Expect the HTML message body, FROM and SUBJECT to mutate also.

I've been getting one every two minutes or so for the last couple of
days, so I had to do something this morning. Luckily I have shell
access and fairly conventional UNIX mail delivery, so I put in a
filter on delivery. My criterion is nowhere near as complicated as
the rest of you folks, but after about 6 hours it caught 157 and
missed no more than a dozen. I just look for 'boundary="[a-z]' in
the header. Of course that could easily turn out to catch a legitimate
email ... but of course, with an attachment, and I don't want your
stupid Word document anyway.

The filter is 38 lines of awk (with comments), and a C program to
lock the folder and invoke the awk program.
